Mapping PodSecurityPolicies to Pod Security Standards

The tables below enumerate the configuration parameters on PodSecurityPolicy objects, whether the field mutates and/or validates pods, and how the configuration values map to the Pod Security Standards.

For each applicable parameter, the allowed values for the Baseline and Restricted profiles are listed. Anything outside the allowed values for those profiles would fall under the Privileged profile. "No opinion" means all values are allowed under all Pod Security Standards.

For a step-by-step migration guide, see Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller.

PodSecurityPolicy Spec

The fields enumerated in this table are part of the PodSecurityPolicySpec, which is specified under the .spec field path.

Mapping PodSecurityPolicySpec fields to Pod Security Standards
| PodSecurityPolicySpec | Type | Pod Security Standards Equivalent |
| --- | --- | --- |
| privileged | Validating | Baseline & Restricted: false / undefined / nil |
| defaultAddCapabilities | Mutating & Validating | Requirements match allowedCapabilities below. |
| allowedCapabilities | Validating | Baseline: subset of AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT. Restricted: empty / undefined / nil OR a list containing only NET_BIND_SERVICE |
| requiredDropCapabilities | Mutating & Validating | Baseline: no opinion. Restricted: must include ALL |
| volumes | Validating | Baseline: anything except hostPath, *. Restricted: subset of configMap, csi, downwardAPI, emptyDir, ephemeral, persistentVolumeClaim, projected, secret |
| hostNetwork | Validating | Baseline & Restricted: false / undefined / nil |
| hostPorts | Validating | Baseline & Restricted: undefined / nil / empty |
| hostPID | Validating | Baseline & Restricted: false / undefined / nil |
| hostIPC | Validating | Baseline & Restricted: false / undefined / nil |
| seLinux | Mutating & Validating | Baseline & Restricted: seLinux.rule is MustRunAs, with the following options: user is unset ("" / undefined / nil); role is unset ("" / undefined / nil); type is unset or one of: container_t, container_init_t, container_kvm_t, container_engine_t; level is anything |
| runAsUser | Mutating & Validating | Baseline: Anything. Restricted: rule is MustRunAsNonRoot |
| runAsGroup | Mutating (MustRunAs) & Validating | No opinion |
| supplementalGroups | Mutating & Validating | No opinion |
| fsGroup | Mutating & Validating | No opinion |
| readOnlyRootFilesystem | Mutating & Validating | No opinion |
| defaultAllowPrivilegeEscalation | Mutating | No opinion (non-validating) |
| allowPrivilegeEscalation | Mutating & Validating | Only mutating if set to false. Baseline: No opinion. Restricted: false |
| allowedHostPaths | Validating | No opinion (volumes takes precedence) |
| allowedFlexVolumes | Validating | No opinion (volumes takes precedence) |
| allowedCSIDrivers | Validating | No opinion (volumes takes precedence) |
| allowedUnsafeSysctls | Validating | Baseline & Restricted: undefined / nil / empty |
| forbiddenSysctls | Validating | No opinion |
| allowedProcMountTypes (alpha feature) | Validating | Baseline & Restricted: ["Default"] OR undefined / nil / empty |
| runtimeClass.defaultRuntimeClassName | Mutating | No opinion |
| runtimeClass.allowedRuntimeClassNames | Validating | No opinion |
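
As an added example (not part of the original page and not Kubernetes code), the following Python applies the PodSecurityPolicySpec table above to a PSP `.spec` loaded as a dict and reports which fields keep it out of the Baseline or Restricted profile. The function names and sample specs are constructed for illustration; it assumes the seLinux user/role/type values sit under `seLinuxOptions`, and it does not evaluate the annotations covered in the next table.

```python
BASELINE_CAPS = {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
                 "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"}
RESTRICTED_VOLUMES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                      "persistentVolumeClaim", "projected", "secret"}
SELINUX_TYPES = {"", "container_t", "container_init_t", "container_kvm_t", "container_engine_t"}
CAP_FIELDS = ("allowedCapabilities", "defaultAddCapabilities")  # same requirements for both

def _set(spec, field):
    return set(spec.get(field) or [])  # undefined / nil / empty all become set()

def baseline_violations(spec):
    """Fields of a PSP .spec (as a dict) whose values fall outside the Baseline column."""
    bad = {f for f in ("privileged", "hostNetwork", "hostPID", "hostIPC",
                       "hostPorts", "allowedUnsafeSysctls") if spec.get(f)}
    bad |= {f for f in CAP_FIELDS if not _set(spec, f) <= BASELINE_CAPS}
    if _set(spec, "volumes") & {"hostPath", "*"}:
        bad.add("volumes")
    if _set(spec, "allowedProcMountTypes") - {"Default"}:
        bad.add("allowedProcMountTypes")
    se = spec.get("seLinux") or {}
    opts = se.get("seLinuxOptions") or {}
    if (se.get("rule") != "MustRunAs" or opts.get("user") or opts.get("role")
            or (opts.get("type") or "") not in SELINUX_TYPES):
        bad.add("seLinux")
    return bad

def restricted_violations(spec):
    """Baseline violations plus the extra requirements of the Restricted column."""
    bad = baseline_violations(spec)
    bad |= {f for f in CAP_FIELDS if _set(spec, f) - {"NET_BIND_SERVICE"}}
    if "ALL" not in _set(spec, "requiredDropCapabilities"):
        bad.add("requiredDropCapabilities")
    if not _set(spec, "volumes") <= RESTRICTED_VOLUMES:
        bad.add("volumes")
    if (spec.get("runAsUser") or {}).get("rule") != "MustRunAsNonRoot":
        bad.add("runAsUser")
    if spec.get("allowPrivilegeEscalation") is not False:
        bad.add("allowPrivilegeEscalation")
    return bad

def classify(spec):
    if not restricted_violations(spec):
        return "Restricted"
    return "Privileged" if baseline_violations(spec) else "Baseline"

RESTRICTED_PSP = {  # constructed sample specs, not taken from a real cluster
    "allowPrivilegeEscalation": False, "requiredDropCapabilities": ["ALL"], "volumes": ["secret"],
    "runAsUser": {"rule": "MustRunAsNonRoot"}, "seLinux": {"rule": "MustRunAs"}}
BASELINE_PSP = {**RESTRICTED_PSP, "runAsUser": {"rule": "RunAsAny"}, "volumes": ["nfs", "secret"]}
PRIVILEGED_PSP = {**BASELINE_PSP, "hostNetwork": True, "volumes": ["hostPath"]}
```

The violation sets name the PSP fields to tighten before the policy's pods would pass the corresponding profile.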

PodSecurityPolicy annotations

The annotations enumerated in this table can be specified under .metadata.annotations on the PodSecurityPolicy object.

Mapping PodSecurityPolicy annotations to Pod Security Standards
| PSP Annotation | Type | Pod Security Standards Equivalent |
| --- | --- | --- |
| seccomp.security.alpha.kubernetes.io/defaultProfileName | Mutating | No opinion |
| seccomp.security.alpha.kubernetes.io/allowedProfileNames | Validating | Baseline: "runtime/default," (Trailing comma to allow unset). Restricted: "runtime/default" (No trailing comma). localhost/* values are also permitted for both Baseline & Restricted. |
| apparmor.security.beta.kubernetes.io/defaultProfileName | Mutating | No opinion |
| apparmor.security.beta.kubernetes.io/allowedProfileNames | Validating | Baseline: "runtime/default," (Trailing comma to allow unset). Restricted: "runtime/default" (No trailing comma). localhost/* values are also permitted for both Baseline & Restricted. |